Securing the Premises: Simple Tips for Maximizing Cybersecurity
CUs must regularly review, adapt and upgrade security practices to keep pace with the constantly-evolving threat landscape.
Adding to the pressure, members expect their data and personal information to stay secure within their credit union. If their security is threatened, the institution can risk losing those members and suffering financial and reputational losses.
To counteract this risk, credit unions must implement a comprehensive cybersecurity program that not only incorporates IT system protections, but also addresses the role the credit union’s employees and board members play. Only by addressing the following three often overlooked segments of a cybersecurity strategy can credit unions build a defense that lowers their risk of exposure – and satisfies regulators.
Minimize Human Error
One important factor in maximizing cybersecurity readiness is recognizing that every single person in an organization plays a role in protecting it against breaches. While many credit union executives rely heavily on their IT team to be the main line of defense against attacks, additional considerations should be taken to ensure there are no weak links in the institution’s defenses.
Many damaging data breaches begin as targeted attacks against individuals who have access to valuable data. For instance, social engineering attacks are surprisingly effective at tricking victims into surrendering their login credentials or downloading malware by clicking links that secretly install malicious programs on a credit union’s system.
To reduce the risk of human error, credit unions should train employees on best practices for protecting their institution against cybercrime. For example, employees should be educated on ways to spot, avoid and react to phishing scams; moreover, institutions must ensure employees know what to do if they believe they have fallen victim to such an attack. They can also implement similar strategies to help members avoid risky behaviors that could make their information vulnerable as they go about their daily lives.
Consider the Regulatory Framework
Credit unions are facing increased regulatory pressure to ensure that all systems meet cybersecurity standards. Last year, the NCUA began using a new tool to help examiners assess a credit union’s level of cybersecurity preparedness. The NCUA’s Automated Cybersecurity Examination Tool provides examiners with a process that improves and standardizes supervision related to cybersecurity in all federally-insured credit unions.
The ACET mirrors the FFIEC’s Cybersecurity Assessment Tool, developed for voluntary use by banks and credit unions. Much like the CAT, the NCUA’s examination tool consists of two parts: The Inherent Risk Profile and the Cybersecurity Maturity Level. The NCUA will initially review only credit unions with $1 billion or more in assets while it refines the tool to ensure it scales properly for smaller credit unions.
Practice Makes Perfect
Even the most meticulously developed and resourced incident response plan has limited effectiveness if not executed properly. So, to successfully respond and recover in the event of cybercrime, credit unions must not only have a plan, but also practice that plan until all staff and board members know how to respond in an incident.
One such method of testing is to gather the team and conduct tabletop walkthroughs of mock cybersecurity incidents using the plan. This type of exercise is helpful in identifying gaps in the incident response plan and is typically a building block for future testing. It’s important to practice multiple scenarios with employees so they can best prepare for dealing with unexpected situations and respond quickly to an actual incident in order to minimize damage.
Not limited exclusively to incident response, credit unions can test other aspects of their cybersecurity programs in several ways; furthermore, such tests are increasingly becoming a regulatory expectation. Regular vulnerability assessments, social engineering exercises and periodic penetration tests are important exercises in identifying the strengths, vulnerabilities and validity of security controls. For example, penetration tests generally leverage an outside organization that attempts to hack into the institution in order to provide critical data regarding vulnerabilities, potential weaknesses and how to further secure the tested systems.
These types of simulation testing can provide assurances that security controls are working effectively. Through this testing, credit unions can see how their cybersecurity program stands up to an attack, which can validate whether various controls are working the way they should be, while also exposing gaps and security weaknesses.
According to the Identity Theft Resource Center, compared to other industries, the financial industry has not fallen victim to as many security breaches due to the high standards required by federal and state regulators, and the expectation that these institutions have a higher level of security measures. Regulatory measures for the financial industry may seem daunting, but in the long run, they are helpful in making the organization more secure and less susceptible to breaches.
Remember, members expect their information to remain secure, so it is crucial for credit unions to regularly review, adapt and upgrade their security measures and practices to keep pace with the constantly-evolving threat landscape, as well as to protect member information and the institution as whole.
Tyler Leet is Director of Risk and Compliance Services for CSI’s Regulatory Compliance Group. He can be reached at 888-494-8449 or tyler.leet@csiweb.com.